Digital Trust & COBIT

Digital Trust Ecosystem Framework a Valuable Complement to COBIT, Other Frameworks

ALIREZA GHASEMI
ISACA’s Digital Trust Ecosystem Framework (DTEF) is new to the scene, but ISACA has long been a respected leader when it
comes to developing impactful industry frameworks.
In fact, the COBIT framework is one of ISACA’s best-known resources globally. If you are reading this blog post, there is an
excellent chance you know a passionate COBIT user or perhaps are one yourself. It is also likely you might be wondering about
the relationship between COBIT and DTEF. They are highly complementary (by design) and each supports enterprise business
needs. DTEF was expanded and adapted from the Business Model for Internet Security that ISACA released back in 2010. So, if
I am using COBIT already, why do I need DTEF? Let’s try to address that question here.
DTEF was designed to be compatible with several existing frameworks and best practices, including COBIT, ITIL, GDPR, and
numerous ISO and NIST standards. As noted in a previous blog post, “While COBIT remains the powerhouse framework for
enterprise governance of information and technology, DTEF offers a broader perspective on digital trust. The two
frameworks complement each other beautifully, allowing organizations to harness their combined strengths and conquer
the digital frontier.”
Let’s go into more detail on both to better understand the potential connection points. DTEF helps define high-level
understanding of how the enterprise will implement, maintain and monitor digital trust among its stakeholders. It includes
the tenons that form the connective tissue among the domains – things like human factors, culture, and communications.
DTEF will enable users to understand what needs to be done (by themselves and by third-party partners and providers) to
achieve and maintain trust for customers.
Take the common challenge that many organizations are experiencing of how to implement AI. Rather than go right to the
technical interpretation, DTEF will help organizations think through questions like: How can AI help us increase trust? How can
AI help us better understand what our customers are looking for? How can we measure whether we are fulfilling those
expectations? In a big-picture sense, DTEF goes right to the enterprise’s bottom line faster than anything you could devise
from a technical standpoint because it frames modern business challenges in easy-to-understand, human terms that will
resonate with a wide cross-section of customers, third parties and other key stakeholders.
COBIT, meanwhile, remains a valuable driver of business transformation as the leading framework for governance over
information and technology. COBIT identifies and enables practitioners to implement the specific business processes needed
to achieve stakeholder objectives, of which digital trust factors are a subset. Additionally, COBIT defines a broad target state
for the enterprise with specific process systems, and actionable activities to achieve that state, including those processes that
affect (or are affected by) the digital trust ecosystem. Best of all, it can be customized to meet the enterprise’s specific
governance needs.
As longtime COBIT users are aware, COBIT was specifically designed to integrate effectively with other frameworks, industry
standards and best practices. So, how can utilizing both DTEF and COBIT bring out the best from each framework?
Considering the “ecosystem” nature of DTEF, it is important to note that this model, as mentioned above, is not a
standalone framework and should be adopted alongside an enterprise’s existing governance system. To avoid framework
overload and exhaustion, think about DTEF as middleware between multiple frameworks from a digital trust lens, where
middleware strives to enable interactions between complex systems that typically don’t talk to each other. Therefore, it is
paramount to consider each existing framework, as they all approach value creation from different perspectives and can
coexist in an enterprise digital trust ecosystem.
There is a high degree of difficulty in building and preserving trust given today’s climate of cyberthreats, privacy concerns and
pervasive misinformation, making DTEF a tremendous resource for enterprises that want to do right by their customers – and
gain a competitive advantage while doing so. Everything we do today around security, privacy, enterprise risk and governance
is about fostering a digital trust relationship. That governance piece, with the ongoing proliferation of data and technology-
driven business processes, is more challenging than ever. That means utilizing COBIT and DTEF together gives organizations an
unmatched opportunity to be more secure, more resilient and more trustworthy than their competitors.
Why COBIT
Effective Governance
Effective governance over information and technology is critical to business success, and this new
release further cements COBIT’s continuing role as an important driver of innovation and business
transformation.

More Implementation Resources


In addition to the updated framework, COBIT now offers more implementation resources, practical
guidance and insights, as well as comprehensive training opportunities. Implementation is now more
flexible, enabling you to right-size your governance solution using COBIT, and training opportunities
will help you to derive maximum ROI from your solution.
Easy Integration
COBIT 2019 is specifically designed to play well with others. Guidance is provided to help you integrate
the industry standards, guidelines, regulations and best practices unique to your enterprise into your
governance solution using COBIT.

COBIT Case Studies


COBIT case studies demonstrate the benefits, common applications, and uses of COBIT. Explore our
library of case studies, or submit one yourself.
Five Steps for Effective Auditing of IT Risk Management Using ISACA’s IT Risk Management Audit/Assurance Program
With the increasing complexity of IT systems and their widespread implementation in virtually all spheres of life (e.g.,
medicine, banking, manufacturing, education), managing IT risk effectively becomes extremely challenging. In the most IT-
mature industries, regulators already expect organizations to have mature IT risk management programs operating at the first
and second lines of defense1 and providing holistic coverage of all possible IT risk. On top of that, IT risk management
programs must be well documented, sustainable, aligned with the overall enterprise risk management framework and closely
supervised by executive management. Failure to design and manage effective IT risk management functions could result in
exposure to material business risk, inadequate prioritization of risk remediation efforts and the excessive cost for IT risk
mitigation. Regular internal audit reviews of IT risk management constitute the third line of defense, keep the first and second
lines fit and healthy, and prevent typical slip-ups in the IT risk management program.

The steps needed to be done by the third line to evaluate the effectiveness of the IT risk management program are the focus
here. Key challenges for IS auditors may include gaps between IT and operational risk management functions, missing or
unfilled IT risk management roles, undefined risk indicators and a lack of clear understanding of key IT issues at top
management levels. In addition, a well-designed control framework should be supported by effective and sustainable
operational execution. Industry best practices and frameworks such as COBIT can help tackle these challenges, save time and
add structure to the audit approach. Also, they define principles that contribute to consistent, comparable and reliable
results.
Five Steps to Maximize Value and Efficiency in IS Audits
IS auditors must consider many factors adding complexity to planning and execution of audit projects focused on the IT risk
management program. Adapting ISACA’s IT Risk Management Audit/Assurance Program and following a clear 5-step process
can help enterprises reach comprehensive audit conclusions, add value and improve the organization.
Step 1: Prepare by Mapping to Relevant Standards
The ISACA audit program is based on COBIT 5, and COBIT 2019 is consistent with recognized best practices, standards and
frameworks. ISACA designed and created the IT Risk Management Audit/Assurance Program primarily as a supplemental
resource for audit professionals. It needs to be tailored to the specific industry and circumstances presented by the
particular systems or information technology environment. IS auditors are encouraged to apply their professional judgment
to ensure that all proper information, procedures and tests are included in the audit program. Moreover, in some
industries, regulators might have increased expectations around the maturity of IT risk management programs. To avoid the
associated compliance risk and potential fines, it is important to verify that mandatory regulatory requirements are not
overlooked during the planning phase. Thus, as a first step, IS auditors should map the audit program to relevant industry
regulation, standards and guidelines. This exercise will help reveal potential gaps in the list of control objectives proposed
by ISACA compared to the specific circumstances of the enterprise. For example, the requirements of the FFIEC IT
Examination Handbook2 are applicable for the financial industry in the United States. The requirements of the US National
Institute for Standards and Technology (NIST) Special Publication 800-37 Rev. 2 Risk Management Framework (RMF) for
Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy3 and International
Organization for Standardization (ISO) ISO 31000—Risk management4 are used in the public sector. In most cases, the
ISACA program will not require a lot of changes. The key point is to verify that the mandatory regulatory requirements for a
specific industry are taken into consideration.
Step 2: Adjust for Audit Scope and Objectives
After aligning the program with industry standards and requirements, further adjustment regarding audit scope and
objectives should be considered. The ISACA program proposes 21 predefined controls mapped to 7 control objectives (COs).
The COs address IT risk governance and framework, management processes, events identification, assessment and response,
and maintenance and monitoring of remediation action plans. The IS auditor might include all control objectives in the audit
program, or only some of them, if the scope is limited to specific themes (e.g., annual risk assessment, risk monitoring and
reporting).
Step 3: Prioritize Controls and Align to Budget
After confirming relevance and completeness of control objectives, IS auditors may proceed with a preliminary analysis of IT
risk management processes by identifying existing controls and potential weaknesses. Assessing inherent and residual risk for
each process helps to prioritize the areas requiring the most attention and budget. ISACA control objectives are self-contained
and can be distributed among audit team members and tested in parallel. To simplify coordination, auditors may group
testing of governance (CO1) and IT risk management framework (CO2) controls, and also IT risk management process (CO3),
risk assessment (CO5) and risk response (CO6) controls. Testing of IT risk event identification (CO4) and maintenance and
monitoring of IT risk action plans (CO7) can be reviewed simultaneously with other controls.
Step 4: Test Controls
Testing is the most labor-intensive step. Reviewing the governance (CO1) and IT risk management framework (CO2) controls,
IS auditors should ensure that senior IT and enterprise management and the board of directors (BoD) regularly and routinely
consider, monitor and review the IT risk management function and define the organization’s appetite for IT risk. Inspecting
minutes of recent board meetings, interviewing IT management and reviewing documentation of IT risk management
practices can inform conclusions about governance. The IS auditor should determine whether IT risk management framework
methodology and definitions align with the enterprise risk management (ERM) framework by checking the scales used for risk
classification in IT and ERM processes (e.g., probability, expected losses/costs, materiality levels, nonfinancial factors).

To test the IT risk management process (CO3) controls, the IS auditor should determine whether the defined risk
management framework is actually enforced. To do so, the auditor must understand the existing process for risk
identification; verify that a common approach is used to identify, assess and record risk across departments; review the
criteria for measuring risk impact, probability and timeframes; and check how risk is prioritized. The auditor should also
ensure that the risk process is well documented and shared with the relevant teams.
While reviewing the risk event identification (CO4) controls, the IS auditor should determine whether the important risk
events and near misses affecting the IT function are identified, analyzed, risk rated and documented. Then, as part of the IT
risk assessment (CO5) review, the IS auditor should ensure that IT risk scenarios are assessed on a recurring basis using
qualitative and quantitative methods that assess the likelihood (probability) and impact of identified risk (figure 1).5

For each identified risk, an organization should define and implement the IT risk response (CO6). To ensure proper execution,
the IS auditor must confirm that the risk assessment generated a risk mitigation strategy and a risk action plan. The IT risk
action plan produced in the previous step should be monitored by management for appropriate execution, incurred costs,
benefits and residual risk (CO7). The IS auditor can confirm the effectiveness of this process by reviewing recent risk response
plans and performing limited retesting of implemented controls.
Step 5: Consolidate and Present Results
Once control testing is completed, the IS auditor will have a comprehensive view of the IT risk management program,
including its integration into the ERM framework; the overall governance, roles and responsibilities of main contributors; and
the level of IT risk appetite within the organization. Opinions can be prepared for each of the tested control objectives, and
the auditor may inform management of the reasons for passing/failing the sections, highlight any weak areas and
demonstrate potential impacts on the organization.
Achieving Digital Business Transformation Using COBIT 2019

In today’s economy, digital business transformation is not an option—it is a business imperative. Many enterprises develop a
false sense of transformation security by running isolated digital projects and change initiatives that are not strategically
transformational. Business leaders must recognize the fundamental difference between mere change and transformation
before they can lead their organizations on the journey toward authentic digital transformation.

Eighty-five percent of enterprise decision makers say they have a time frame of 2 years to make significant inroads into digital
transformation or they will fall behind competitors and suffer financially.1

Fifty-six percent of chief executive officers (CEOs) say digital transformation has led to increased revenue and profits.2

While the mandate to digitize and transform is unquestionable, leaders frequently ask, “How and what do we transform?”
The COBIT 2019 framework can answer these questions and help leaders not only to remove barriers, but also sustain
strategic digital business transformation.
What Is Digital Business Transformation?
Digital business transformation is not about getting an organization to use a specific set of new technologies; rather, it
involves understanding technology and how using it provides value and new experiences for customers, partners,
stakeholders and employees. It is about the organization’s ability to react quickly, utilize new technologies and procedures
successfully, and thrive now and in the future.

“When a snake sheds its skin, it changes; when a caterpillar becomes a butterfly, it transforms.”3 Simply stated, change is
focused on improving the past or the current state while transformation is forward-looking and changes or creates the future.
Even though change is good, it is only a better version of the past. There are some dangerous drawbacks for organizations
that fall under the illusion of transformation when, in fact, they have only implemented changes. Until business leaders,
governing boards (i.e., boards of directors [BoDs]), executives and senior management understand the difference between
transformation and change, they will perpetuate the illusion of transformation when, in actuality, they are only changing the
past. Digital business transformation is the process of leveraging or integrating digital technology into a business—a
transformation that can impact technology, culture, work environment and more. Uber for example has been able to digitally
transform the taxi industry by leveraging the power of technology. Other examples are Airbnb in the hotel industry, and Skype
and WhatsApp in the communication industry, just to mention a few.
Misconceptions of Digital Business Transformation
There are many misconceptions about digital business transformation. Some examples include:
• Digital business transformation can be achieved with the old mind-set and business model—This misconception is the most
perplexing because the word “transform” implies that a business process or product is no longer what it was before. A
business model is an organization’s plan on how to make money or profit. A business mind-set is understanding strategy and
implementing it into your business practices. A new business mind-set is doing something new (strategically) to create
something different. A new mind-set seeks out opportunities in its market and other markets, which can be exploited. It also
remains acutely aware of potential disruptors, and how to respond to them. It is an open mind-set that adapts well to rapid
transformation, and to challenges that the organization might not have faced before. In today’s digital economy, organizations
that want to be competitive must include digital in the heart of their business model, i.e., must have a digital business model
as well as a new business mind-set in order to thrive. For example, the traditional taxi industry has been struggling to
maintain high standards at low prices. Players in this industry believe (old mind-set) the taxi industry will continue to enjoy
high prices and low standards (business model), and no one saw Uber coming with a new mind-set and new business model.
Uber’s business model (new business model) involves collaboration with drivers who have access to a car and who want to
earn money and passengers using the platform. This model uses capacity more efficiently than traditional taxis by enabling
drivers to benefit from a larger share of working time and miles driven. It then coordinates drivers who offer a highly scaled
and distributed transport platform. Uber empowers users (people who want to go somewhere) to book its drivers via a
mobile application. Uber came with a digital business model and a new mind-set by creating a platform for drivers and riders.
Transformation can only be achieved with a shift in mind-set and business model.
• Organizations need a big budget to start digital business transformation programs—Organizations with modest budgets can
fund digital business transformation. Many examples indicate that big-budget digital business transformation projects
eventually fail, while those undertaken with small investments in critical areas not only succeed, but also last. One example of
a big-budget project failure is the British Broadcasting Corporation (BBC). In 2013, the BBC cancelled its Digital Media
Initiative (DMI), which was meant to fully prepare the BBC for the on-demand digital world. The project had a budget of
US$162.4 million.4
• Everyone in the organization understands digital business transformation—Experience shows that understanding varies across
the enterprise regarding the focus, extent and purpose of digital business transformation programs. It is possible that
everyone within an organization has a slightly different definition when it comes to digital business transformation and the
focus, extent, and purpose of embarking on it. This disparity is one of the main reasons for the failure of programs. It is
important for the leadership of an organization to clearly define and address this to achieve universal understanding at the
enterprise.
• Business leaders often stick to what they know and what their organizations do well—Being the strongest or largest player in
an industry no longer guarantees success in today's global marketplace. Remember: “What got you here won’t get you
there.”5 When organizations fail to step out of their comfort or success zones and step into the transformation zone, they risk
missing opportunities and becoming obsolete in an ever-changing and competitive world. No organization is immune to
disruption. Motorola, Kodak, Nokia and Blackberry are examples of organizations whose business leaders failed to step out of
their comfort zones. Today, many of the products for which these organizations are known have become almost obsolete.
Why Undertake Digital Business Transformation?
Most leaders recognize the benefits of digital business transformation—yet many organizations still have not undertaken it
fully. Some enterprises make nonstrategic digital changes, but relatively few transform their digital businesses strategically.

The question “Why transform?” is the starting point. Many business leaders know the reasons why they need to transform
their enterprises, but often they do not know how, and they do not act.
Pain Points and Trigger Events of Digital Business Transformation
Pain points and trigger events are things that an organization must pay attention to when planning a digital business
transformation initiative. These factors can make the transformation initiative unsuccessful if not carefully considered and
addressed:
• Organizational culture—Culture is frequently one of the most difficult challenges to the successful implementation of digital
business transformation initiatives. Creating the right organizational culture is important for the success of digital business
transformation. Changing organizational culture cannot happen until the leadership mind-set is aligned and leads the way
toward digital business transformation.
• Resistance from management—Some members of the leadership team may not share the view of why the organization
needs to embark on a digital transformation initiative. The initiative could be perceived as a threat, so the CEO must work
closely with other executives until there is 100% buy-in. Only then will the leadership team be prepared to address the wider
cultural challenge in the organization.
• Employee pushback (i.e., fear and/or resistance from employees)—Employees may view the changes with skepticism and
fear that digital transformation might threaten their jobs. Often, employees resist the changes, either consciously or
unconsciously. Also, corporate culture is designed to maintain an organization’s status quo. Most employees have witnessed
failed projects and programs in the past, so it is no surprise that they might view digital transformation initiatives with
skepticism. All of this leads to resistance.
• Lack of expertise to lead digitization initiatives—This happens when people without digital business transformation skill
sets and capabilities lead digital business transformation initiatives.
• Lack of a digitization strategy—Starting digital initiatives without digital being integral to the business strategy is a recipe
for failure.
• Lack of alignment between digital business transformation strategy and business goals and objectives—Digital business
transformation initiatives often deliver less than their full potential because their objectives are unclear from the outset.
Failure is also all but assured if digital transformation objectives, even when well-articulated, are not aligned to business
goals and objectives.
• Lack of an innovative business environment—Innovation is the foundation for transformation. It is vital to ensure that an
environment that enables and encourages innovation, effective communication, engagement and collaboration is fostered.
• Lack of vision, strategy and/or road map for transformation—Leaders must eliminate any ambiguity from the organization
and create a true transformation vision; otherwise the organization will remain static. Senior executives are responsible for
clarifying and communicating the overall digital transformation vision and strategy organizationwide.
• Ambiguity between transformation and change—The leadership of the organization must clearly define what change is and
what transformation is; otherwise the organization may be lulled into a false sense of transformation while what it is actually
doing is simply changing the past.
• Lack of engagement with customers to understand their behaviours and expectations—It is important to identify areas
where the organization can differentiate itself from competitors as customer expectations change. Competition in the digital
economy will be won and lost based on an organization’s understanding of its customer expectations and its ability to deliver
an outstanding experience.
• Lack of a digital business transformational mind-set—True digital business transformation leadership requires the right
mind-set, which often requires leaders to shift their own thinking to effectively address the challenges posed by an evolving
digital economy.
Digital business transformation can come in many forms, and every organization has its own unique needs and priorities.
Regardless of what those needs are, the right framework can help stakeholders across the business and IT come together and
decide what and how to transform. This, in turn, introduces consistency into the organization (vs. chaos) and provides a
common vocabulary for exploring what to transform. By agreeing on how the organization will determine what to transform,
everyone will be working from the same blueprint and become familiar with the process. A common framework will not
restrict innovation; on the contrary, it often opens many people to possibilities they would otherwise not have considered.

Adopting a common framework leads people away from spontaneous reactions, trendy—but not necessarily apt—technology,
and tunnel vision focused exclusively on sales. No organization needs to be influenced into making decisions that encourage
siloed initiatives or fail to align with the transformation strategy, road map and priorities.

COBIT 2019 addresses the appropriate objects, goals and methodology of digital business transformation.
How to Transform Digitally: COBIT 2019
In light of digital business transformation, information and technology (I&T) have critical roles in supporting, sustaining and
growing business.

COBIT is a framework that provides globally accepted principles, practices, tools and models to help increase the trust in, and
value from an enterprise I&T.

COBIT clearly distinguishes between the governance and management objectives. In alignment with the International
Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 38500, COBIT
presents governance objectives in terms of evaluate, direct and monitor and management objectives as plan, build, run and
monitor activities to achieve the enterprise objectives.6

It is worth noting that COBIT is a guide: you do not implement COBIT; rather, it must be adapted and adopted to develop a
fit-for-purpose governance and management of information and technology solution. Technology is a means by which digital
transformation is delivered.
Step 1
Establish a Digital Business Transformation team/committee led by the senior management or top-level executives. Transformation is
fundamental to the organization and can impact everyone, so it is vital that the right executives are involved to ensure that no one is
left out. It is also important to educate and align leadership mind-sets. This might be done via meetings or workshops that focus on
the what, why and how of digital business transformation. Educating everyone within the organization helps all employees
understand the need to transform and the risk that digital disruption presents. The team or committee must have a good
understanding of business needs, drivers and risk. This understanding is required before embarking on the digital business
transformation initiative because success takes more than technology.
Step 2
Select applicable design factors such as an enterprise strategy, enterprise goals, risk profile, the role of IT, the technology adoption
strategy and enterprise size.
Step 3
Select applicable focus areas such as digital transformation or cybersecurity.
Step 4
Apply the goals cascade. Stakeholder needs must be transformed into an enterprise’s actionable strategy. The goals cascade supports
metamorphosis of enterprise goals into priorities for alignment goals, which, in turn, helps in the selection of applicable governance
and management objectives based on the priorities.
Step 5
Design a tailored governance system.
Step 6
Prioritize governance and management objectives based on the selected governance and management objectives in step 4.
Step 7
Select applicable components of the governance system.

Step 8
Create a transformation road map. The road map needs to be holistic, ensuring that all priority governance and management
objectives are applied. By cutting back or cutting corners on some of the objectives, most enterprises will find that the
implementation and outcomes are unlikely to live up to stakeholder expectations.

Digital business transformation definitions should be documented and communicated to help everyone stay aligned and
mitigate the risk of misunderstanding.

Step 9
Activate transformation readiness. This step is critical, yet many organizations shift from strategy to execution without
sufficiently preparing.
The current level of transformation readiness needs to be assessed based on the following readiness factors:
• Organizational culture
• Governance
• Innovation capabilities
• Digital capabilities
• Transformation management capabilities
• Organizational structure
• Any challenges or barriers that might inhibit or derail transformation efforts
Adopt a matrix (capability maturity level) to help identify where each readiness factor needs to be on the maturity scale, and
agree on actions required to elevate each readiness factor from where it is now (current state) to where it needs to be (future
or target state) to meet the transformation challenge. Stakeholders should be realistic and not overly ambitious, but they
should not settle for a level of maturity that is inadequate and could put the transformation at risk.

Step 10
Implement and manage transformation. This is where stakeholders will begin to deploy or execute the strategy.

Tokenization: Your Secret Weapon for Data Security?
Consider this: 4.1 billion records have been compromised in the first half of 2019 alone, a 54% increase over the same period in 2018.1
Organizations in nearly every industry are facing an ever-growing and out-of-control cybersecurity crisis.
Encryption is one of the most effective security controls available to enterprises, but it can be challenging to deploy and maintain across a
complex enterprise landscape. Instead, organizations often invest in simpler security methods such as perimeter defenses, enforcement of
password rules and applying patches in a timely way. But when these traditional defenses fail to hold up—and clearly, they are insufficient—
hackers make off with a treasure trove of your organization’s most sensitive data.
To fight back, a growing number of organizations are turning to tokenization as a cost-effective means to protect important data without
impacting ongoing operations. With tokenization, data are masked in ciphertext, making the data unidentifiable and useless to attackers.
Tokenization is an approach to protect data at rest while preserving data type and length. It replaces the original sensitive data with randomly
generated, nonsensitive substitute characters as placeholder data. These random characters, known as tokens, have no intrinsic value, but
they allow authorized users to retrieve the sensitive data when needed. If tokenized data are lost or stolen, they are useless to cybercriminals.
The tokenized data can also be stored in the same size and format as the original data. This is ideal for enterprise environments—especially
those with legacy systems—since the tokenized data require no changes in database schema or processes.
Minimizes Data Exposure
Applications will generally use tokens and only access real values when absolutely necessary. Tokenization was originally
developed for the credit card industry to reduce the scope of audits. Now, with the advent of lightweight yet powerful
tokenization solutions, any industry responsible for securing sensitive data—including data such as Social Security numbers,
birth dates, passport numbers and account numbers—can implement tokenization and minimize data exposure.
What About Implementation?
The implementation of tokenization throughout the enterprise is now fairly straightforward, thanks to vaultless tokenization.2 Legacy
methods of “vaulted” tokenization require maintaining databases with tokens and their corresponding real data. These token vaults
represent a high-risk target for theft. In addition, large token vaults often present complex implementation problems, particularly in
distributed, worldwide deployments. Implementation challenges surrounding vaulted tokenization are one of the reasons why
enterprises continue to leave sensitive data vulnerable to cyberattackers.
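As an added illustration of the tokenization basics above and of the “vaulted” model just described (constructed example code, not from the blog post or any vendor product): a minimal Python token vault that issues random, same-length, digit-only tokens, keeps the token-to-value mapping that makes a vault such a high-value target, and releases the original value only to authorized callers. Rejecting tokens that pass the Luhn check is a convention this example adopts so a token can never be mistaken for a live card number.

```python
import secrets
import string

# Constructed example: a minimal "vaulted" tokenizer for numeric identifiers
# such as card or account numbers. Tokens keep the length and digit-only
# format of the original, so existing database columns need no schema change.


def luhn_valid(number: str) -> bool:
    """Return True when a digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens back to the sensitive values they stand in for.

    The mapping is the high-risk asset the text warns about: anyone who
    obtains it can detokenize everything. Here it is an in-memory dict purely
    for illustration; a real vault is isolated and strictly access-controlled.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return a format-preserving token; the same value always maps to the same token."""
        if not value.isdigit():
            raise ValueError("this demo tokenizes digit-only values")
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Cryptographically random digits: the token carries no information
            # about the original value and cannot be reversed without the vault.
            token = "".join(secrets.choice(string.digits) for _ in range(len(value)))
            # Reject collisions with existing tokens, the input itself, and any
            # token that would pass Luhn (so it cannot pass as a real card number).
            if token in self._token_to_value or token == value or luhn_valid(token):
                continue
            self._token_to_value[token] = value
            self._value_to_token[value] = token
            return token

    def detokenize(self, token: str, authorized: bool) -> str:
        """Return the original value only for authorized callers."""
        if not authorized:
            raise PermissionError("caller is not authorized to detokenize")
        return self._token_to_value[token]
```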
No Vault Database Required
In contrast, vaultless tokenization is safer and more efficient, while offering the advantage of either on-premises or cloud
deployment. In this model, a hardware security module (HSM)3 is used to cryptographically tokenize data. These data can then be
detokenized, returning the appropriate portion of a record for use by authorized parties or applications. In this model, there is no
token vault or centralized token database to maintain. Using network-level and representational state transfer application program
interfaces (REST APIs), tokenization can be efficiently integrated into nearly any enterprise environment.
Typically, the main application for tokenization has been the protection of credit and debit card numbers, both for payment and
nonpayment processes. However, the largest opportunity going forward is the general protection of sensitive data. The likelihood that
your organization will be breached is steadily increasing and, coupled with the skyrocketing costs related to data breach recovery, the
case for tokenization in the enterprise is compelling.
Third-Party Risk Management Vs. Provider’s Accountability

Lately, I have been reflecting on the need to assess third-party risk and how other business sectors have mitigated this risk in
the past. I have concluded the origin for this need is what economists call a “market failure.”
The first issue worth noting is that our need for third parties to guarantee the security of the goods and services that they
provide us with is no different than our need for assurance that products we buy from an assembly line meet quality
standards, or our need to trust that the food we buy from the grocery store is safe to eat. We are facing a trust issue.
We need to be able to trust that third parties are providing organizations with goods and services that meet the level of
quality that organizations expect. Economists say that the best way to trust is to recognize that perfect information exists in
the market, meaning that the consumer of a product or service can know the characteristics of the product or service before
purchasing it and can make a decision that considers all relevant factors.
But what happens when perfect information does not exist? Basically, markets need to develop alternative mechanisms to
provide it. And here is where we can find a big difference in how other sectors have solved this market failure compared to
the cybersecurity sector.
In other sectors, the answer has been accountability. If a car’s brakes fail under warranty, the vendor may be liable to replace
them and could have to bear the costs associated with a car accident. Those who put a product on the market must take
accountability for the behavior of their product in the case that it fails.
But what happens in the cybersecurity sector? It seems that since we have failed to establish a system to measure the level of
cybersecurity around a good (product or service), we have subsequently given up on defining a system of responsibility and
accountability for third parties. As a result, we must evaluate each product or service individually before using it, channeling
“trust, but verify.” But evaluating each good on a product-by-product basis brings us closer to what economists
predict about markets with imperfect information: market collapse. Since customers cannot trust that goods have the level of
security they expect, they assume they have no security and, as a consequence, vendors that do produce secure goods are
expelled from the market due to their higher production costs.
Imagine for a minute we are back in the time of the ancient Romans. Leaders may have had to designate a food tester to
ensure that their food was not poisoned. That is essentially what we are doing today in cybersecurity. We cannot trust our
vendors, so we must assess or audit each provider to check if they are trying to sell us a product with a low level of security.
It is urgent that the cybersecurity market develop objective and transparent assessment mechanisms that allow customers to
trust vendors. This would allow deceptive vendors to be expelled from the market instead of trustworthy ones.
Returning to the economy comparison, financial markets have used a rating mechanism for centuries as a tool to preserve
transparency. We should aim to emulate this mechanism in the cybersecurity sector, especially if no one is developing a
different solution.
Optimize Enterprise Data and Uphold Privacy With ISACA’s DTEF

Enterprises can use data to efficiently provide services, market products to consumers, and make better decisions backed by
data.1 However, collecting excessive amounts of data without providing transparency regarding its usage could become a
privacy issue. It can be difficult for enterprises to find a balance between having the data needed to drive business decisions
and respecting consumers’ privacy.
ISACA’s Digital Trust Ecosystem Framework (DTEF) can help enterprises ensure that broad organizational objectives and
goals—including those relying on collecting and processing personal information—align with privacy objectives and
compliance requirements. Each domain of the DTEF relates to privacy, and the privacy focus area emphasizes privacy by
design and feedback loops, all of which can help enterprises strike a balance between privacy and maximizing the value of
data.
Privacy and the DTEF
The DTEF model is three dimensional and contains four nodes: people, process, technology, and organization. The tension
that exists between these nodes comprises the DTEF’s domains. Figure 1 shows the DTEF model.
The DTEF leverages a systems thinking approach, i.e., it acknowledges that a change to one part of an organization will affect
other parts of the organization. For example, new technology will have ripple effects throughout the enterprise. It is this
systems thinking approach that allows enterprises utilizing the framework to ensure that the privacy department can be a
business enabler and align with overall enterprise goals. Enterprises that struggle with maximizing the value of their data
while protecting privacy can leverage the DTEF to determine areas in which organizational objectives may be at odds with
privacy objectives.
There are several examples of how the DTEF domains relate to privacy:
• Culture is a pattern of behaviors, beliefs, assumptions, attitudes, and ways of executing activities. External factors such as
geographic location and ethnicity can affect people, which, in turn, affects culture. From a privacy perspective, culture may
vary if consumers and staff are from a region that has strict privacy laws in place. This DTEF domain can help enterprises
manage various consumer expectations. Knowing how culture affects data subjects’ expectations and priorities can help guide
enterprises that are determining what data to collect and how it may be used.
• Emergence refers to the arising of new business opportunities, behaviors, processes, and other relevant items as the
subsystems between people and processes evolve. It is important to note that emergence is not always positive; people do
not always interact with processes in an ideal way. The adequacy decision about the EU-US Data Privacy Framework, which
addresses the transfer of personal data between the European Union and the United States,2 is an example of privacy-related
emergence.
• Enabling and support is the dynamic interconnection through which technology enables process, and process, in turn,
supports the deployment and operation of technology. Enabling and support can ensure that processes and technologies are
operating efficiently and in the desired manner. This domain can aid in the use of privacy by design in the creation and
delivery of products and services; it primarily addresses how processes and technology can incorporate privacy by design
principles. The enabling and support domain can ensure that new processes and technology are not configured in a way that
mandates the collection of excessive amounts of information.
• The human factors domain relates to how people interact with technology and the development of tools to facilitate the
achievement of specific goals. The human factors domain can help enterprises identify and remediate privacy dark patterns,
which are practices that make it difficult for system/product users to understand and express their privacy preferences. This
domain is critical to ensuring that enterprise use of data aligns with consumer expectations. It can set a baseline for what
consumer expectations are and help combat some of the challenges associated with lengthy privacy notices that consumers
may not read.
• The direct and monitor domain translates existing governance concepts and measures, encourages enterprises to meet their
missions and goals, and establishes boundaries and process-level controls. This domain can help enterprises ensure that their
privacy-related policies and procedures are defined. It can prevent a privacy strategy from being in opposition to other
enterprise strategies, i.e., ensuring that data privacy practices and data processing practices are in alignment.
• The architecture domain refers to the “fundamental concepts or properties of a system in its environment embodied in its
elements, relationships, and in the principles of its design and evolution.”3 The architecture domain, like the enabling and
support domain, can help enterprises practice privacy by design and incorporate it into the overall digital trust infrastructure.
This domain explicitly calls out the alignment between privacy objectives and enterprise objectives, which can ensure that
data is used according to privacy requirements.
Privacy by Design
Privacy by design refers to the integration of privacy into the entire engineering process. Privacy by design can help
enterprises ensure that new products align with privacy objectives and protect individuals’ data. Although privacy by design
can protect data subjects and is mandatory in some jurisdictions,4 some enterprises struggle to incorporate it. Only 29% of
respondents to a recent ISACA survey say they always practice privacy by design.5
It is understandable that privacy by design can be challenging in practice; privacy can affect nearly every part of the
enterprise, and all initiatives involving personal information should incorporate privacy safeguards. The privacy focus area of
the DTEF can help organizations better grapple with all the areas in which privacy professionals should be involved. This
comes from the privacy focus area’s emphasis on identifying applications/technology processing personal information and
aligning with privacy objectives and compliance requirements. Privacy professionals who understand which applications and
processes involve personal data can work to ensure that they are operating in ways consistent with privacy objectives.
The privacy focus area explores the specific ways in which privacy should be considered. It emphasizes when privacy
considerations need to be made, e.g., ensuring that policy life cycles align with privacy objectives and compliance
requirements. It helps privacy professionals work cross-functionally and can spur collaboration. For example, there is an
activity in the privacy focus area about including privacy risk in the risk scenario inventory. This can help break down
organizational silos, e.g., risk activities not factoring in privacy-specific risk, and embed privacy across the organization.
Feedback Loops
Privacy professionals must prioritize protecting personal information and the people to whom that information belongs.
Enterprises often struggle to maintain trust with consumers when privacy practices do not meet consumers’ expectations.
This can happen for a few reasons: Enterprises are not always clear about what data they are collecting and why they are
collecting it, and consumers may not have the time or expertise needed to understand what a terms of service document or
privacy notice is actually explaining.
Ninety percent of consumers accept terms and conditions without reading them.6 Some of this is because terms and
conditions are lengthy, filled with jargon, and difficult to understand. For example, reading Microsoft Teams’ terms of service
would take almost two and a half hours.7
Given that enterprises cannot force consumers to read terms of service agreements, and they may be legally required to
share lengthy, complex documents detailing privacy practices, ensuring that consumer expectations and enterprise practices
align is imperative. This can be done by periodically collecting feedback about privacy practices.
The DTEF’s emphasis on feedback loops (both internal and external) can help align enterprise use of personal information
with privacy objectives and consumer expectations. For example, one privacy activity involves optimizing user experience for
usability and alignment with privacy objectives based on quantitative and/or qualitative data. The DTEF emphasizes the
iterative nature of these activities; as the ecosystem, consumer expectations, and data processing practices change, feedback
should be gathered to ensure that any new initiatives meet consumer expectations.
Regularly capturing this feedback ensures that the data an enterprise collects and uses aligns with consumer expectations
about privacy. This can help enterprises maximize the insights and value data provides without damaging trust with data
subjects.
Conclusion
Trust with consumers can benefit revenue growth, an organization’s reputation, and customer loyalty.8 Privacy violations, such
as using data for purposes other than what it was originally collected for, can significantly harm the trust between an individual
and an enterprise.9 To best maximize the value of data while respecting consumers’ privacy, enterprises should practice privacy
by design and solicit feedback from consumers. ISACA’s DTEF is a powerful resource that can help ensure privacy is embedded
throughout the enterprise and works to build trust and support the organization’s objectives.